KASAN: use-after-free Read in inet_shutdown


syzbot

Jan 16, 2018, 1:30:03 PM
to da...@davemloft.net, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzkaller hit the following crash on
ce3c209f6733e2cff9335bb1b2ac847fa823410a
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.


IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+347bd5...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

==================================================================
BUG: KASAN: use-after-free in inet_shutdown+0x2d4/0x350
net/ipv4/af_inet.c:819
Read of size 4 at addr ffff8801d15e5200 by task syz-executor0/6148

CPU: 1 PID: 6148 Comm: syz-executor0 Not tainted 4.15.0-rc7-mm1+ #56
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23b/0x360 mm/kasan/report.c:412
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
inet_shutdown+0x2d4/0x350 net/ipv4/af_inet.c:819
pppol2tp_session_close+0x92/0xf0 net/l2tp/l2tp_ppp.c:430
l2tp_tunnel_closeall+0x305/0x410 net/l2tp/l2tp_core.c:1288
l2tp_udp_encap_destroy+0x95/0x100 net/l2tp/l2tp_core.c:1311
udpv6_destroy_sock+0x161/0x190 net/ipv6/udp.c:1407
sk_common_release+0x6b/0x2f0 net/core/sock.c:2999
udp_lib_close+0x15/0x20 include/net/udp.h:203
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
sock_release+0x8d/0x1e0 net/socket.c:595
sock_close+0x16/0x20 net/socket.c:1123
__fput+0x327/0x7e0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x9e/0xa0
RIP: 0033:0x452df9
RSP: 002b:00007fed7ec85c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 000000000071bea0 RCX: 0000000000452df9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000017
RBP: 000000000000004e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee7f0
R13: 00000000ffffffff R14: 00007fed7ec866d4 R15: 0000000000000000

Allocated by task 6154:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
sock_alloc_inode+0x70/0x300 net/socket.c:244
alloc_inode+0x65/0x180 fs/inode.c:209
new_inode_pseudo+0x69/0x190 fs/inode.c:890
sock_alloc+0x41/0x270 net/socket.c:565
__sock_create+0x148/0x850 net/socket.c:1223
sock_create net/socket.c:1299 [inline]
SYSC_socket net/socket.c:1329 [inline]
SyS_socket+0xeb/0x1d0 net/socket.c:1309
entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 6154:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x86/0x2b0 mm/slab.c:3743
sock_destroy_inode+0x56/0x70 net/socket.c:274
destroy_inode+0x15d/0x200 fs/inode.c:266
evict+0x57e/0x920 fs/inode.c:570
iput_final fs/inode.c:1515 [inline]
iput+0x7b9/0xaf0 fs/inode.c:1542
dentry_unlink_inode+0x4b0/0x5e0 fs/dcache.c:375
__dentry_kill+0x3b7/0x6d0 fs/dcache.c:572
dentry_kill fs/dcache.c:613 [inline]
dput.part.23+0x6fb/0x830 fs/dcache.c:823
dput+0x1f/0x30 fs/dcache.c:787
__fput+0x51c/0x7e0 fs/file_table.c:227
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x9e/0xa0

The buggy address belongs to the object at ffff8801d15e5200
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 0 bytes inside of
992-byte region [ffff8801d15e5200, ffff8801d15e55e0)
The buggy address belongs to the page:
page:ffffea0007457940 count:1 mapcount:0 mapping:ffff8801d15e5200
index:0xffff8801d15e5ffd
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d15e5200 ffff8801d15e5ffd 0000000100000003
raw: ffffea00074576a0 ffffea0006eb5260 ffff8801d986c9c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d15e5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d15e5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801d15e5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d15e5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d15e5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log.txt

syzbot

Feb 2, 2018, 12:47:02 PM
to da...@davemloft.net, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
syzbot has found reproducer for the following crash on upstream commit
4bf772b14675411a69b3c807f73006de0fe4b649 (Fri Feb 2 01:48:47 2018 +0000)
Merge tag 'drm-for-v4.16' of git://people.freedesktop.org/~airlied/linux

So far this crash happened 14 times on mmots, net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+347bd5...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==================================================================
BUG: KASAN: use-after-free in inet_shutdown+0x2d4/0x350
net/ipv4/af_inet.c:819
Read of size 4 at addr ffff8801c008f540 by task syzkaller114342/5197

CPU: 0 PID: 5197 Comm: syzkaller114342 Not tainted 4.15.0+ #292
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
inet_shutdown+0x2d4/0x350 net/ipv4/af_inet.c:819
pppol2tp_session_close+0x92/0xf0 net/l2tp/l2tp_ppp.c:430
l2tp_tunnel_closeall+0x305/0x410 net/l2tp/l2tp_core.c:1285
l2tp_udp_encap_destroy+0x95/0x100 net/l2tp/l2tp_core.c:1308
udpv6_destroy_sock+0x161/0x190 net/ipv6/udp.c:1407
sk_common_release+0x6b/0x2f0 net/core/sock.c:2999
udp_lib_close+0x15/0x20 include/net/udp.h:203
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:435
sock_release+0x8d/0x1e0 net/socket.c:595
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x327/0x7e0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x9e/0xa0
RIP: 0033:0x44bbd9
RSP: 002b:00007f8e19861ce8 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00000000006ddc24 RCX: 000000000044bbd9
RDX: 000000000044bbd9 RSI: 0000000000000000 RDI: 0000000000000020
RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007ffc84c0bb3f R14: 00007f8e198629c0 R15: 000000000000000d

Allocated by task 5216:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3540
sock_alloc_inode+0x70/0x300 net/socket.c:244
alloc_inode+0x65/0x180 fs/inode.c:209
new_inode_pseudo+0x69/0x190 fs/inode.c:891
sock_alloc+0x41/0x270 net/socket.c:565
__sock_create+0x148/0x850 net/socket.c:1249
sock_create net/socket.c:1325 [inline]
SYSC_socket net/socket.c:1355 [inline]
SyS_socket+0xeb/0x1d0 net/socket.c:1335
entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 5291:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3484 [inline]
kmem_cache_free+0x83/0x2a0 mm/slab.c:3742
sock_destroy_inode+0x56/0x70 net/socket.c:274
destroy_inode+0x15d/0x200 fs/inode.c:266
evict+0x57e/0x920 fs/inode.c:571
iput_final fs/inode.c:1516 [inline]
iput+0x7b9/0xaf0 fs/inode.c:1543
dentry_unlink_inode+0x4b0/0x5e0 fs/dcache.c:371
__dentry_kill+0x3de/0x700 fs/dcache.c:575
dentry_kill fs/dcache.c:616 [inline]
dput.part.21+0x6fb/0x830 fs/dcache.c:826
dput+0x1f/0x30 fs/dcache.c:790
__fput+0x51c/0x7e0 fs/file_table.c:227
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x9e/0xa0

The buggy address belongs to the object at ffff8801c008f540
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 0 bytes inside of
992-byte region [ffff8801c008f540, ffff8801c008f920)
The buggy address belongs to the page:
page:ffffea00070023c0 count:1 mapcount:0 mapping:ffff8801c008f0c0
index:0xffff8801c008fffd
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801c008f0c0 ffff8801c008fffd 0000000100000003
raw: ffffea00070023a0 ffffea00070024a0 ffff8801d9fe6380 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c008f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c008f480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801c008f500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8801c008f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c008f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

raw.log.txt
repro.syz.txt
repro.c.txt
config.txt

syzbot

Feb 7, 2018, 8:57:03 AM
to James Chapman, jcha...@katalix.com, syzkall...@googlegroups.com
> #syz test:
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git

Your 'test:' command is accepted, but please keep
syzkall...@googlegroups.com mailing list in CC next time. It serves as
a history of what happened with each bug report. Thank you.

> master


syzbot

Feb 7, 2018, 9:27:02 AM
to da...@davemloft.net, jcha...@katalix.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in pppol2tp_put_sk

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0
net/l2tp/l2tp_ppp.c:457
Read of size 8 at addr ffff8801c01b6708 by task syz-executor/4295
IPVS: ftp: loaded support on port[0] = 21

CPU: 0 PID: 4295 Comm: syz-executor Not tainted 4.15.0+ #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
IPVS: ftp: loaded support on port[0] = 21
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
pppol2tp_put_sk+0xa8/0xb0 net/l2tp/l2tp_ppp.c:457
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
IPVS: ftp: loaded support on port[0] = 21
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
IPVS: ftp: loaded support on port[0] = 21
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
IPVS: ftp: loaded support on port[0] = 21
apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
</IRQ>
RIP: 0033:0x40599b
RSP: 002b:00007fff06a24290 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff11
RAX: 000000000000000d RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 000000000000000d RDI: 000000002076afdb
RBP: 0000000000000001 R08: 0000000000000000 R09: 000000000071bf58
R10: 0000000000000005 R11: 0000000000000246 R12: 0000000000000005
R13: fffffffffffffffe R14: 000000000071ca20 R15: ffffffffffffffff

Allocated by task 4296:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3705 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3714
kmalloc include/linux/slab.h:517 [inline]
kzalloc include/linux/slab.h:701 [inline]
l2tp_session_create+0x100/0xe50 net/l2tp/l2tp_core.c:1738
pppol2tp_session_prep+0x2fc/0xa40 net/l2tp/l2tp_ppp.c:711
pppol2tp_connect+0x74a/0x1550 net/l2tp/l2tp_ppp.c:856
SYSC_connect+0x213/0x4a0 net/socket.c:1639
SyS_connect+0x24/0x30 net/socket.c:1620
entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 4295:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3485 [inline]
kfree+0xd6/0x260 mm/slab.c:3800
pppol2tp_put_sk+0x4c/0xb0 net/l2tp/l2tp_ppp.c:456
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801c01b6480
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 648 bytes inside of
1024-byte region [ffff8801c01b6480, ffff8801c01b6880)
The buggy address belongs to the page:
page:ffffea0007006d80 count:1 mapcount:0 mapping:ffff8801c01b6000 index:0x0
compound_mapcount: 0
IPVS: ftp: loaded support on port[0] = 21
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c01b6000 0000000000000000 0000000100000007
raw: ffffea0006dab8a0 ffffea0006f87820 ffff8801db000ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c01b6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c01b6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801c01b6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801c01b6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c01b6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.
patch.diff
raw.log.txt
config.txt

syzbot

Feb 7, 2018, 10:03:05 AM
to James Chapman, jcha...@katalix.com, syzkall...@googlegroups.com
> #syz test:
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git

Your 'test:' command is accepted, but please keep
syzkall...@googlegroups.com mailing list in CC next time. It serves as
a history of what happened with each bug report. Thank you.

> master

> On 7 February 2018 at 14:27, syzbot

syzbot

Feb 7, 2018, 10:31:02 AM
to da...@davemloft.net, jcha...@katalix.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in l2tp_tunnel_del_work

l2tp_core: tunl 3: fd 0 wrong protocol, got 1, expected 17
==================================================================
BUG: KASAN: use-after-free in l2tp_tunnel_del_work+0x22e/0x240
net/l2tp/l2tp_core.c:1292
Read of size 8 at addr ffff8801cdbf2520 by task kworker/u4:14/5459

CPU: 1 PID: 5459 Comm: kworker/u4:14 Not tainted 4.15.0+ #35
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
l2tp_tunnel_del_work+0x22e/0x240 net/l2tp/l2tp_core.c:1292
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:542

Allocated by task 13247:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
sock_alloc_inode+0x70/0x300 net/socket.c:244
alloc_inode+0x65/0x180 fs/inode.c:209
new_inode_pseudo+0x69/0x190 fs/inode.c:891
sock_alloc+0x41/0x270 net/socket.c:565
__sock_create+0x148/0x850 net/socket.c:1249
sock_create net/socket.c:1325 [inline]
SYSC_socket net/socket.c:1355 [inline]
SyS_socket+0xeb/0x1d0 net/socket.c:1335
entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 13264:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
sock_destroy_inode+0x56/0x70 net/socket.c:274
destroy_inode+0x15d/0x200 fs/inode.c:266
evict+0x57e/0x920 fs/inode.c:571
iput_final fs/inode.c:1516 [inline]
iput+0x7b9/0xaf0 fs/inode.c:1543
dentry_unlink_inode+0x4b0/0x5e0 fs/dcache.c:371
__dentry_kill+0x3de/0x700 fs/dcache.c:575
dentry_kill fs/dcache.c:616 [inline]
dput.part.21+0x6fb/0x830 fs/dcache.c:826
dput+0x1f/0x30 fs/dcache.c:790
__fput+0x51c/0x7e0 fs/file_table.c:227
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x9e/0xa0

The buggy address belongs to the object at ffff8801cdbf2500
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 32 bytes inside of
992-byte region [ffff8801cdbf2500, ffff8801cdbf28e0)
The buggy address belongs to the page:
page:ffffea000736fc80 count:1 mapcount:0 mapping:ffff8801cdbf2080
index:0xffff8801cdbf2ffd
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801cdbf2080 ffff8801cdbf2ffd 0000000100000003
raw: ffffea0006eb0420 ffffea000736fee0 ffff8801d9fea380 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801cdbf2400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8801cdbf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801cdbf2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cdbf2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cdbf2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
patch.diff
raw.log.txt
config.txt

syzbot

Feb 8, 2018, 10:21:50 AM
to James Chapman, jcha...@katalix.com, syzkall...@googlegroups.com
> #syz test:
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git

Your 'test:' command is accepted, but please keep
syzkall...@googlegroups.com mailing list in CC next time. It serves as
a history of what happened with each bug report. Thank you.

> master


> On 7 February 2018 at 15:31, syzbot

syzbot

unread,
Feb 8, 2018, 10:42:03 AM2/8/18
to da...@davemloft.net, jcha...@katalix.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+347bd5...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.


---
There is no WARRANTY for the result, to the extent permitted by applicable law.
Except when otherwise stated in writing syzbot provides the result "AS IS"
without warranty of any kind, either expressed or implied, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality of the result is with you. Should the result
prove defective, you assume the cost of all necessary servicing, repair or
correction.
patch.diff
config.txt

syzbot

Feb 8, 2018, 2:07:04 PM
to James Chapman, jcha...@katalix.com, syzkall...@googlegroups.com
> #syz test:
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git

Your 'test:' command is accepted, but please keep
syzkall...@googlegroups.com mailing list in CC next time. It serves as
a history of what happened with each bug report. Thank you.

> master

> On 7 February 2018 at 15:31, syzbot
> <syzbot+347bd5...@syzkaller.appspotmail.com> wrote:
>> Hello,
>> Tested on
>> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>> commit
>> 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
>> Merge tag 'usercopy-v4.16-rc1' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

>> compiler: gcc (GCC) 7.1.1 20170620
>> Patch is attached.
>> Kernel config is attached.

syzbot

Feb 8, 2018, 2:23:02 PM
to da...@davemloft.net, jcha...@katalix.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+347bd5...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.


patch.diff
config.txt